[RFC/PATCH] cifs.upcall: use kernel.provided principal name if available
Andrew Bartlett
abartlet at samba.org
Thu Sep 8 01:39:47 MDT 2011
On Thu, 2011-09-08 at 09:23 +0200, Martin Wilck wrote:
> Hi Andrew,
>
> > Samba 3.5 (latest release) and Samba 3.6 now default to the
> > server-provided SPN being untrusted and unused. Samba 3.6 also does not
> > send it by default. No new software should start using this principal,
> > and now all modern servers will not send it.
>
> Please let me repeat my dumb question: Once a Windows user has logged in
> to the AD Domain, she'll be able to access all shares in the domain
> (which her account is allowed to use) without having to retype the
> domain password. Am I wrong assuming this works through Kerberos somehow?
>
> On Linux clients, users need to retype passwords all the time. That
> makes Linux machines 2nd class network members, at least psychologically
> for their users. The reason (in my environment) is that the samba tools
> are unable to figure out the correct SPN. I understand your argument
> that trying to do that via the server-provided name is insecure. That
> means there must be some other way, as Windows clients are able to find
> the SPN. What is it?
The name of the server is the right name, ie the name in the UNC path or
URL. Do your linux users mount by IP address perhaps?
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba-technical
mailing list